Microsoft Word vulnerability: hackers can use the automatic update link to install the malicious software-vulnerability warning-the black bar safety net

ID MYHACK58:62201788704
Type myhack58
Reporter 佚名
Modified 2017-08-20T00:00:00


According to foreign media news, the SANS Internet Center a freelance security consultant and Handler in Microsoft Word, found a very interesting vulnerability that allows an attacker to abuse the Word program to automatically update the link function. This is one of the default start function, when a user adds an external source the link, Word will automatically update the links without any prompt.

Security consultant Xavier Martens in his blog post explaining the vulnerability:“the infected carrier file may,'N_Order the # xxxxx.docx with 5 random numbers as the attachment is received, it has the link embedded into another file, this is an attempt to exploit Vulnerability CVE 2017-0199 the malicious RTF file.”

CVE 2017-0199 is a high-risk vulnerability that allows hackers when the user opens that contains the embedded document to download and execute the included PowerShell commands Visual Basic script. In addition, FireEye also observed in the Office documents using CVE 2017-0199 downloaded from various well-known malware family of executable malware.

Use CVE 2017-0199, the Word file can access malicious RTF file, and if successful, it will automatically download a JavaScript payload, and the link of the update without user interaction trigger, it will not be for the user to issue operating tips warning.

This seems to be caused by a malware generation dai li commercial concern, in addition to FireEye found CVE 2017-0199 has been the use of addition, Trend Micro also discovered this problem, they said“the use of CVE 2017-0199 can get the abuse of a PowerPoint slide of the method, we first found that this method of use.” However, if the user in 4 months time to update the CVE 2017-0199 patch, can be protected from this attack threat.